[Mainline-Build 2708]: IPv6- remote ip prefix is not considered for SG ipv6 rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
Trunk | Fix Committed | Undecided | Ashok Singh |
Bug Description
I have the below sg1 rules:
root@nodeg18:~# neutron security-
+------
| id | security_group | direction | protocol | remote_ip_prefix | remote_group |
+------
| f7b5d5bd-
| 0e44008f-
As per the rule, it should allow TCP traffic only to CIDR prefixes 1.1.1.0/24 and 2002:1::/64.
This SG is attached to a VM (2002:1::3), and when I try to ssh to another VM (2002:2::4) in a different VN, it goes through and I see a flow is created.
root@nodec12:~# flow -l | grep 2002:2::4 -A2 -B2
412304<=>489728 2002:1::3:54602 6 (3)
(K(nh):45, Action:F, Flags:, TCP:SSrEEr, S(nh):45, Statistics:8/2087 UdpSrcPort 49521
--
(K(nh):52, Action:F, Flags:, S(nh):52, Statistics:3/288 UdpSrcPort 56796
489728<=>412304 2002:2::4:22 6 (3)
(K(nh):45, Action:F, Flags:, TCP:SSrEEr, S(nh):57, Statistics:7/2817 UdpSrcPort 60814
This works fine for IPv4 and does not allow traffic to CIDR prefixes other than 1.1.1.0/24.
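The expected behaviour described above can be expressed as a family-aware allow-list check and used to audit observed flows. This is an added example, not part of the original report or the Contrail code; the rule dictionaries, the "egress" direction, and the sample flows are constructed from the addresses and prefixes quoted in the report.

```python
import ipaddress

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}

# Constructed from the prefixes stated in the report. Rule ids are truncated
# on the page, so none are used. Direction "egress" is an assumption.
SG1_RULES = [
    {"direction": "egress", "protocol": "tcp", "remote_ip_prefix": "1.1.1.0/24"},
    {"direction": "egress", "protocol": "tcp", "remote_ip_prefix": "2002:1::/64"},
]

def rule_permits(rule, direction, proto, remote):
    """True if this single rule allows `proto` traffic to/from `remote`."""
    if rule["direction"] != direction:
        return False
    if rule["protocol"] not in ("any", None) and PROTO_NUM[rule["protocol"]] != proto:
        return False
    net = ipaddress.ip_network(rule["remote_ip_prefix"])
    addr = ipaddress.ip_address(remote)
    # A rule applies only to its own address family, and the prefix must be
    # compared for IPv6 exactly as it is for IPv4.
    return addr.version == net.version and addr in net

def sg_permits(rules, direction, proto, remote):
    """Security groups are allow-lists: no matching rule means drop."""
    return any(rule_permits(r, direction, proto, remote) for r in rules)

def audit_flows(rules, flows):
    """Return flows that were forwarded (action 'F') although no rule permits them."""
    return [f for f in flows
            if f["action"] == "F"
            and not sg_permits(rules, "egress", f["proto"], f["dst"])]

# Constructed sample flows. The first mirrors the flow in the report
# (2002:1::3 -> 2002:2::4 port 22, protocol 6, Action:F); the rest are made up.
FLOWS = [
    {"src": "2002:1::3", "dst": "2002:2::4", "dport": 22, "proto": 6, "action": "F"},
    {"src": "2002:1::3", "dst": "2002:1::9", "dport": 22, "proto": 6, "action": "F"},
    {"src": "1.1.1.3", "dst": "1.1.2.4", "dport": 22, "proto": 6, "action": "D"},
    {"src": "1.1.1.3", "dst": "1.1.1.4", "dport": 22, "proto": 6, "action": "F"},
]

if __name__ == "__main__":
    for f in audit_flows(SG1_RULES, FLOWS):
        print("forwarded but not permitted:", f["src"], "->", f["dst"], f["dport"])
```

Only the flow to 2002:2::4 is reported, which is the flow the report says should not have been created.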
Information type: Proprietary → Public
Fix under review: https://review.opencontrail.org/#/c/16739/